t2 '15 - Call For Papers - Helsinki, Finland
t2 has issued a Call For Papers for its t2 infosec conference, slated for October 29th to the 30th (inclusive), 2015, in stunningly beautiful Helsinki, Finland. Enjoy!!
"Why spend your valuable conference time in the longest lines you have seen in your life, getting a sunburn or totally lost in the canals with your rental boat, being deprived of chewing gum or waking up in Nong Palai without any recollection how you got there? Helsinki offers you the safe and comfortable low-temperature alternative with a chance of first snow. Finland, the home country of many things you thought came from Japan." via t2
Mad John
News of the surfacing of John McAfee at last week's Infosec 2015 confab in London, United Kingdom, at which oddities ensued, with mayhem kept to a minimum. All in all, a good time was had by all... Read the full story here.
Steganography, In the Round →
A more complete explanation, via Sophos security blog Naked Security author Paul Ducklin, of steganography in-the-round, as it were...
NIST Releases Revision 2, Guide to Industrial Control Systems (ICS) Security
The National Institute of Standards and Technology (NIST) has announced the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Outstanding.
New PayPal User Agreement, Demands Your Firstborn...
or Why-I-Am-Not-A-PayPal-Customer...
via The Washington Post's Brian Fung, comes the unsurprising news of blatant stupidity amongst the cubicles at PayPal. This time, taking the shape and form of the company's new user agreement. How this will play out, once the Federal Trade Commission takes a gander is anyone's guess. Read it and Weep.
Litchfield Unleashes Database Security Scorecard →
via El Reg's Darren Pauli, comes good news from David Litchfield, this time, in the form of a newly authored security product targeting the in-built security issues within Oracle Corporation's (NYSE: ORCL) DBMS. Outstanding.
Sunday Security Maxim
Shannon’s (Kerckhoffs’) Maxim: The adversaries know and understand the security hardware and strategies being employed. Comment: This is one of the reasons why open source security (e.g., cryptography) makes sense.
Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”, i.e., security based on keeping long-term secrets, is not a good idea. Comment: Short-term secrets can create useful uncertainty for an adversary, such as temporary passwords and unpredictable schedules for guard rounds. But relying on long term secrets is not smart.
Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Saturday Security Maxim
Colsch's (Keep It Simple) Maxim: Security won't work if there are too many different security measures to manage, and/or they are too complicated or hard to use.
Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Operation Overlord, June 6, 1944
“… these men came here – British and our allies, and Americans – to storm these beaches for one purpose only, not to gain anything for ourselves, not to fulfill any ambitions that America had for conquest, but just to preserve freedom. . . . Many thousands of men have died for such ideals as these. . . but these young boys. . . were cut off in their prime. . . I devoutly hope that we will never again have to see such scenes as these. I think and hope, and pray, that humanity will have learned. . . we must find some way . . . to gain an eternal peace for this world.”
– Eisenhower: A Soldier’s Life, by Carlo D’Este (ISBN-10: 0805056874 Holt Paperbacks; First Edition)
Web Security Dojo 2.0
Web Security Dojo 2.0, a full, self-contained security training environment, has been released to the self-study intelligentsia. Suited for student-directed education, the program is FOSS and a product of Maven Security Consulting; the Dojo environ is available via SourceForge now.
DevSecOps Edition, 10+ Hours of Information Security + DevOps Video →
The kind folks at DevOps.com have made their collection of HD-quality security DevOps videos from RSAC 2015 available (the only catch being a registration form). Highly recommended.
'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via Devops' Alan Shimel
House of Drafts →
via AlienVault's Russ Spitler, comes a tale of problematic security hygiene within customer instances at Amazon Web Services. This time, evidenced and bolstered by empirical research, the AlienVault researchers discovered "there is a good chunk of the EC2 users who left their front door open".
I am fascinated with AlienVault's findings (consider for a moment that the issues are customer-based within their respective virtual environs); the scenario boggles.
Then, there is the recently published Amazon Web Services SOC 1, 2 and 3 Reports (acronym definition: SOC - Service Organization Control). SOC 1 is one of the component reports that comprise the awkwardly monikered SSAE 16/ISAE 3402 artifact; of these, the SOC 1 and SOC 2 Reports are available to Amazon Web Services customers upon request, whilst the SOC 3 report is available to the public on demand. In this case, the SOC 3 report targets the WebTrust and SysTrust reviews. SysTrust is germane to the AlienVault research, as it encompasses the standard information security tenets of Integrity, Availability, Security and Confidentiality; of which, apparently, many customers of the AWS EC2 product are blissfully unaware (at least those that are running the offending listeners).
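The "front door left open" finding above is, in practice, a security-group rule that admits the whole Internet to a listener that should only be reachable from inside the VPC. The following audit check is an added example written for this post, not code from AlienVault, Amazon or the original article. It assumes rule records in the shape of the `IpPermissions` entries returned by the EC2 `DescribeSecurityGroups` API (that shape, the port list and the sample groups are assumptions and constructed data, not anything taken from the research); it runs offline and flags every sensitive port exposed to `0.0.0.0/0` or `::/0`.

```python
"""Audit EC2-style security-group rules for world-reachable listeners.

Added example, not part of the original post. The input shape mirrors the
IpPermissions structure returned by the EC2 DescribeSecurityGroups API
(an assumption); the sample groups at the bottom are constructed.
"""
import ipaddress
from typing import Iterable

# Ports that should rarely, if ever, be open to the whole Internet
# (an assumed, illustrative list; extend to taste).
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _rule_is_world_open(perm: dict) -> bool:
    """True if any CIDR on the rule admits the whole Internet (v4 or v6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net in (ANY_V4, ANY_V6):
            return True
    return False


def _ports_covered(perm: dict) -> Iterable[int]:
    """Sensitive ports that fall inside the rule's port range."""
    if perm.get("IpProtocol") == "-1":      # "-1" means all traffic, all ports
        return SENSITIVE_PORTS.keys()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in SENSITIVE_PORTS if lo <= p <= hi]


def find_open_doors(security_groups: list[dict]) -> list[tuple[str, int, str]]:
    """Return (group_id, port, service) for each sensitive port exposed to the world."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _rule_is_world_open(perm):
                continue
            for port in _ports_covered(perm):
                findings.add((sg["GroupId"], port, SENSITIVE_PORTS[port]))
    return sorted(findings)


# Constructed sample resembling DescribeSecurityGroups output (not real data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # public HTTPS: expected
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # MySQL to the world: finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # SSH from RFC1918 only: fine
    ]},
    {"GroupId": "sg-anything", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # everything, v6: finding
    ]},
]

if __name__ == "__main__":
    for gid, port, svc in find_open_doors(SAMPLE_GROUPS):
        print(f"{gid}: {svc}/{port} reachable from anywhere")
```

The check deliberately treats a world-open HTTPS listener as unremarkable and only reports ports on the sensitive list, since the point of the research was exposed management and database services rather than public web fronts; feeding it the real API output is a matter of passing the `SecurityGroups` list from a `describe_security_groups` call in place of the constructed sample.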